Ignore improperly encoded signedpath AD elements

We have some reason to believe Microsoft and Heimdal are both using
the authdata value 142 for different purposes, leading to failures in
verify_ad_signedpath().  For better interoperability, treat such
tickets as unsigned, rather than invalid.

ticket: 6676
target_version: 1.8.1
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23766 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c
index 50975580cc26951e1ea7ae22e8b3c9b946df1f34..b5de64de20cd9b2a7c201206e42ab732b4676846 100644 (file)
--- a/src/kdc/kdc_authdata.c
+++ b/src/kdc/kdc_authdata.c
@@ -934,8 +934,12 @@ verify_ad_signedpath(krb5_context context,
     enc_sp.length = sp_authdata[0]->length;
 
     code = decode_krb5_ad_signedpath(&enc_sp, &sp);
-    if (code != 0)
+    if (code != 0) {
+        /* Treat an invalid signedpath authdata element as a missing one, since
+         * we believe MS is using the same number for something else. */
+        code = 0;
         goto cleanup;
+    }
 
     code = verify_ad_signedpath_checksum(context,
                                          krbtgt,